On 6/19/23 2:08 AM, Masataka Ohta wrote:
Matt Corallo wrote:
Both in theory and practice, DNSSEC is not secure end to end
Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling to TLS certs)
TLS? What? As was demonstrated by diginotar, PKI is NOT cryptographically secure and vulnerable to MitM attacks on intermediate intelligent entities of CAs.
Note that diginotar was advertised to be operated with HSMs and four-eyes principle, which means both of them were proven to be untrustworthy marketing hypes.
Even more reason to do DNSSEC stapling! It avoids some of the CA issue (well, it would if you could make it required, I don't believe the current design is required, sadly).
and (b) that wasn't the point - the above post said "It’s not like you can really trust your packets going to B _today_ are going to and from the real B (or Bs)." which is exactly what DNSSEC protects against!
As long as root key rollover is performed in time and intermediate zones such as ccTLDs are not compromised, maybe, which is why it is not very useful or secure.
The following description
https://en.wikipedia.org/wiki/DigiNotar Secondly, they issued certificates for the Dutch government's PKIoverheid ("PKIgovernment") program. This issuance was via two intermediate certificates, each of which chained up to one of the two "Staat der Nederlanden" root CAs. National and local Dutch authorities and organisations offering services for the government who want to use certificates for secure internet communication can request such a certificate. Some of the most-used electronic services offered by Dutch governments used certificates from DigiNotar. Examples were the authentication infrastructure DigiD and the central car-registration organisation Netherlands Vehicle Authority [nl] (RDW).
makes it clear that entities operating ccTLDs may also be compromised.
This is totally unrelated to the question at hand. There wasn't a question about whether a user relying on trusted authorities can maybe be whacked by said trusted authorities (though there's been a ton of work in this space, most notably requiring CT these days), it was purely about whether we can rely on pure "I sent a packet to IP X, did it get to IP X", which *is* solved by DNSSEC. I agree DNSSEC does not solve all issues with client security, but it doesn't have to, it *does* solve the issue of a BGP hijack against an authoritative DNS server being able to respond with whatever IPs it wants (and then get TLS certs because of it). Matt